History of Phishing: Then and Now


Published: March 23, 2017 | By: rcubed | Views: 2541

Last year (2016) turned out to be a banner year for phishing. According to APWG (Anti-Phishing Working Group), the total number of phishing attacks in 2016 was 1,220,523, a 65% increase over 2015. In the fourth quarter of 2016, APWG saw an average of 92,564 phishing attacks per month, an increase of 5,753% over 12 years. If that doesn’t make your eyes pop out of your skull, then there’s probably little that shocks you. Losses from phishing exploits were estimated to be as high as $5 billion in a report released in early 2014 by Microsoft. In light of such jaw-dropping data, it’s worth taking a look at phishing: its origins, its various forms, and why it remains such an effective strategy for the bad guys.

Phishing celebrated its 20th birthday last year. The practice got its start on AOL when a group of hackers and other ne’er-do-wells banded together to create a tool for randomly generating credit card numbers, which they in turn used to create phony AOL accounts. They would then proceed to spam other AOL members with phishing attempts in order to trick users into revealing PII such as passwords, birth dates, credit card numbers, and social security numbers. The end goal was to more easily steal AOL accounts from which they could then send spam or launch further phishing attacks.

Just a guppy

These early hackers and pirates were part of a warez community that relished stealing software, games, and whatever else wasn’t nailed down. AOL eventually thwarted the group’s credit card generators in 1995, but like anything to do with hackers and hacking, it proved to be only a minor setback. They quickly moved on to what has become the hallmark of phishing: impersonation of trusted organizations in order to con PII from unsuspecting victims. The word “phishing” had its genesis in a Usenet group for AOL and has been credited to well-known spammer and hacker, Khan C Smith. Imagine putting those credentials and accomplishments on a LinkedIn profile. The first recorded mention of the term was in the AOLHell hacking tool, which included a function for assisting in the theft of passwords and financial info belonging to AOL users.

AOL attempted to shut down the nascent phishing movement by detecting words in its chat rooms discussing the practice and then suspending accounts of those using trigger words. Undeterred, individuals involved in hacking and phishing simply substituted the character string ‘<><’ in place of any word referring to stolen credit cards, accounts, or other illegal activity. The string is ubiquitous in all HTML pages and wouldn’t be flagged by AOL’s detection filter. It also looked a lot like the symbol for a “fish.”

The unique spelling evolved due to the association with “phreaking,” which had its origins dating all the way back to the Yippie movement of the 1960s. Prior to the advent of personal computers and long before the internet, phone phreaks labored long and hard to scam Ma Bell for free phone calls. The late Yippie leader, Abbie Hoffman, described the practice in his book, amusingly titled “Steal This Book.” The notion that everything should be free also predates the founding of the Internet and AOL.

Going off to spawn

Innovation in phishing hardly stopped with scamming AOL users, as easy and lucrative as that remains even today. Sights were set on higher-valued targets. This took the form of going after financial info such as bank account numbers and SSNs. Victims received emails warning them that they needed to urgently update their billing information in order to keep their accounts active. Hackers quickly realized that they had struck gold with this tactic. Not only could they steal a victim’s password, but they could also abscond with credit card numbers, bank account info, and even the Holy Grail: an SSN. It was almost too easy!

The core approach to phishing is remarkably simple and consistent across all its various forms: gain a target’s trust (con them) by posing as genuine communication from a trusted source in order to extract PII and/or online credentials and financial info. The most common tactic is to send emails with convincing verbiage stating that the target must click on a link in order to take some form of urgent action. The links either go to a phony website where the victim is relieved of PII, or a “man in the middle” attack is deployed where the info is extracted prior to sending them on to a legitimate website. The victim is none the wiser until the eventual fallout of a drained bank account or account lockout occurs. The purloined info is either used directly by the thieves for their own financial gain or sold off on the Dark Web. Citibank customers were famously victims of a MITM attack in 2006.

A Phish by any other name still stinks

In some cases, insult and further injury are added to the initial injury by installing malware on the victim’s computer to keep the good times rolling right along. The malware then either spams contacts in the victim’s address book with more phishing messages or turns their computer into a zombie to be sold off to a botnet. Other variations of phishing consist of “spear phishing” and “whaling.” The former is where specific individuals are targeted with social engineering attacks using personally identifying details, making the scam all that much more convincing. Whaling moves spear phishing up the food chain, using the same tactics against higher-valued targets such as CEOs and executives in return for higher-valued rewards.

Vishing and smishing consist of simply moving the tactic over to voice and SMS channels respectively. In-person exploits exist for the more brazen attacker, where they disguise themselves as repairmen or someone else with a legitimate reason to be on premises and ask probing questions. Dean Pompilio discusses this tactic in his excellent “Cyber Threat Intelligence” course right here on Cybrary.it.

Multiplying the loaves and phishes

Phishing has become a highly organized and even commoditized industry. Phishing kits consisting of everything an enterprising hacker could possibly need to get up and running are available for purchase online. The creativity and technical expertise required of phishing pioneers during the 1990s is no longer a barrier to entry. In fact, the entire operation can now be outsourced. In addition, these kits are equipped with features to evade the countermeasures that spam filters and anti-phishing filters put in place to detect and thwart phishing exploits. A cat and mouse game if there ever was one!

But things don’t stop there. The infrastructure for hosting phishing attacks can all be rented, from the web servers that host phony websites that steal PII to the servers that send the phishing emails. Need a list of email addresses to spam? Check, we’ve got that. How about a way to turn those stolen credit card numbers and bank account and other financial info into cash? No problem, let us worry about that for you.

It should come as little surprise that phishing is still big business in the cybercriminal community. It just works and keeps on working. Humans are and will always be the weakest link in any cybersecurity environment. The best defense begins in your own house. Spam and anti-phishing filters, as unreliable as they may be, are your first line of defense. From there, it’s a matter of common sense coupled with a heaping helping of suspicion. Treat all forms of contact with suspicion, whether it’s clicking on a link in an email or being asked for personal information over the phone, via text message, or in person. That goes double if it’s the first date.

 

4 Comments
  1. This is a great piece of info and history education that you presented here! I truly agree with one of your closing statements, “Humans are and will always be the weakest link in any cybersecurity environment.” This fact can be attributed to numerous reasons. One of the main reasons has to do with a bit of one of the many common psychological traits that most humans possess in the willingness to trust with a blind eye and the false sense of trustworthiness gained through this common human trait. I believe, one should trust no one but thyself because in the current day and age of the cyber criminals’ and identity thieves’ attacks becoming more prevalent, sophisticated and so readily available for any individual to execute. Who can one really trust other than the one human with intentions that can truly be known and that is their own.

    • Also, thanks for inspiring me on my next article I hope to get published and share with the OP3N community. My reply contains a snippet of my future article. Once again, Great JOB on the post.

      • Thanks for reading and commenting! Yep, those pesky humans usually find a way to mess up a good thing. That’s why cybersecurity awareness training is becoming increasingly important for not only folks working in the tech industry, but for anyone who comes in contact with an electronic device. Let us know when you’ve published your OP3N article. Looking forward to reading it!

  2. Sneakers, or be snookered… This will truly help motivate my baby boomer tribe, at the Community centers u Volunteer at in it.
    Nice, concise writing and deepens the conversation in IoT of life
    Today and future!
